Bitcoin Forum
Author Topic: [ANN][XCP] Counterparty - Pioneering Peer-to-Peer Finance - Official Thread  (Read 1276323 times)
romerun
Legendary
Activity: 1078
Merit: 1001
Bitcoin is new, makes sense to hodl.
April 23, 2014, 02:41:29 PM
 #7341

4/23 - URGENT SECURITY NOTICE


Thanks guys for working with us to get counterwallet (and bitcoinjs-lib) through this beta period. We remain committed to security of the web wallet, and will be continuing to make improvements on this front and work with our partners to do so.


Looks like the hacker stole... about 0.0005 BTC from me, but I could be wrong? which I'm not worried about, but it's weird cause the blockchain shows I have 0.0007, while the wallet shows I have 0.0002.. I don't know if that means I was a victim of theft or not..

blockchain.info treats multisig fee differently, example: https://blockchain.info/address/1EGok6kAbJRrzryXAGyCHRq5c649rhzwJ3 , http://blockr.io/address/info/1EGok6kAbJRrzryXAGyCHRq5c649rhzwJ3
nivs
Newbie
Activity: 7
Merit: 0
April 23, 2014, 03:43:58 PM
 #7342

Any details on the specifics of the security bug in bitcoinjs-lib?
PhantomPhreak (OP)
Sr. Member
Activity: 476
Merit: 300
Counterparty Chief Scientist and Co-Founder
April 23, 2014, 04:21:50 PM
 #7343

4/23 - URGENT SECURITY NOTICE

With our focus on maximizing the security of Counterwallet, we now have two experts (a bitcoinjslib expert, and a web application security expert) in the process of reviewing the codebase.

What Happened
Due in part to this process, we have been notified of a security bug in bitcoinjs-lib (the bitcoin javascript library counterwallet uses) that was internally disclosed to us by the bitcoinjs-lib team yesterday evening. We worked with them on applying a fix, which was made live late last night and this security notice was drafted pending confirmation from the team. However it appears the bug has already been exploited in the wild to take BTC.

A list of these addresses is available here: https://blockchain.info/tx/474cce51a9c4b265d4da0257acb21a554563fd41200970996e2b8914dc6f1d68
(if you were a counterwallet user that was affected whose address is NOT on this list, please email dev@counterparty.co to let us know)

Who is affected?
This bug affected the new counterwallet.co wallet (the old.counterwallet.co seems to be unaffected, and counterpartyd users / BootleXCP users are NOT affected). Also, the bug only affects addresses that have made two or more transactions from a given address, and then, will only affect that address. At this point, it appears only BTC was taken with a subset of counterwallet users.

What do I do?

To be safe, we are wanting ALL users with a wallet created on counterwallet.co to immediately go through the following procedure:

1. Log into your existing wallet account
2. Retrieve and copy down the private key for each address in your wallet (for each address, click on Address Actions, then Show Private Key, and copy that down)
3. Log out of the site, and then click Create New Wallet, and then log in with that new passphrase
4. Utilize the Import Funds feature to move the assets over.

Alternatively (if having problems with sweep), one can create the new wallet, then log into the old wallet and manually send the funds over. Please send over ALL funds, including XCP and other Counterparty assets.

I lost BTC. Can I get it back?
The Counterparty team is preparing a reimbursement program for people impacted by this bug. More details will be posted shortly.

EDIT: After creating your new wallet and transferring the funds over, send an email to dev@counterparty.co  including:

  • a new address to which to send the reimbursed BTC funds
  • the passphrase of the compromised wallet (i.e. the one with the address from which the funds were stolen). Please only send this passphrase after you have moved all of the funds out of this wallet. Unfortunately, we need this passphrase to prove that you are the actual owner of the address in this situation, as signing a message from the compromised address is not enough here, as the hacker could do that, as well.
    Please keep in mind that the Counterparty team will never ask for the passphrase of a wallet which holds funds

Thanks guys for working with us to get counterwallet (and bitcoinjs-lib) through this beta period. We remain committed to security of the web wallet, and will be continuing to make improvements on this front and work with our partners to do so.


Note that this bug was not a problem with the Counterparty Protocol or with counterpartyd, which were previously audited by Sergio Lerner. This was a bug that was very similar to the Android wallet one from a while back, and was with bitcoinjs-lib and Counterwallet, which (as stated above) are being audited right now.
PhantomPhreak (OP)
Sr. Member
Activity: 476
Merit: 300
Counterparty Chief Scientist and Co-Founder
April 23, 2014, 04:22:55 PM
 #7344

Any details on the specifics of the security bug in bitcoinjs-lib?

See this Gist: https://gist.github.com/dcousens/7a54e59a98e445c5ec2f
DeathAndTaxes
Donator
Legendary
Activity: 1218
Merit: 1079
Gerald Davis
April 23, 2014, 04:25:14 PM
 #7345

Cross posting here but I think it is important enough of a security concern to get some visibility.

For this and other reasons (flawed, weak, unverifiable or backdoored PRNG) developers should strongly consider using RFC6979 to create deterministic signatures. The k value does not need to be random; it only needs to be a nonce (number used once) and unknown to the attacker. Transactions are already unique and the signer has something which is unknown to the public (private key). This means it is possible to sign transactions without needing to rely on "random" elements.

http://tools.ietf.org/html/rfc6979

There are implementations in Python, C++, (and when I get a chance to do some refactoring C#).  Patching a k value flaw in bitcoinjs is good but a better option would be to incorporate RFC6979 into bitcoinjs to pre-empt the next critical flaw before it happens.

Code:
# Test Vectors for RFC 6979 ECDSA, secp256k1, SHA-256
# private key, message, expected k, expected signature

"01", "Satoshi Nakamoto", "8F8A276C19F4149656B280621E358CCE24F5F52542772691EE69063B74F15D15", "934b1ea10a4b3c1757e2b0c017d0b6143ce3c9a7e6a4a49860d7a6ab210ee3d82442ce9d2b916064108014783e923ec36b49743e2ffa1c4496f01a512aafd9e5"
"01", "All those moments will be lost in time, like tears in rain. Time to die...", "38AA22D72376B4DBC472E06C3BA403EE0A394DA63FC58D88686C611ABA98D6B3", "8600dbd41e348fe5c9465ab92d23e3db8b98b873beecd930736488696438cb6b547fe64427496db33bf66019dacbf0039c04199abb0122918601db38a72cfc21"
"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364140", "Satoshi Nakamoto", "33A19B60E25FB6F4435AF53A3D42D493644827367E6453928554F43E49AA6F90", "FD567D121DB66E382991534ADA77A6BD3106F0A1098C231E47993447CD6AF2D06B39CD0EB1BC8603E159EF5C20A5C8AD685A45B06CE9BEBED3F153D10D93BED5"
"f8b8af8ce3c7cca5e300d33939540c10d45ce001b8f252bfbc57ba0342904181", "Alan Turing", "525A82B70E67874398067543FD84C83D30C175FDC45FDEEE082FE13B1D7CFDF1", "7063ae83e7f62bbb171798131b4a0564b956930092b33b07b395615d9ec7e15c58dfcc1e00a35e1572f366ffe34ba0fc47db1e7189759b9fb233c5b05ab388ea"
"e91671c46231f833a6406ccbea0e3e392c76c167bac1cb013f6f1013980455c2", "There is a computer disease that anybody who works with computers knows about. It's a very serious disease and it interferes completely with the work. The trouble with computers is that you 'play' with them!", "1F4B84C23A86A221D233F2521BE018D9318639D5B8BBD6374A8A59232D16AD3D", "b552edd27580141f3b2a5463048cb7cd3e047b97c9f98076c32dbdf85a68718b279fa72dd19bfae05577e06c7c0c1900c371fcd5893f7e1d56a37d30174671f6"
"0000000000000000000000000000000000000000000000000000000000000001", "Everything should be made as simple as possible, but not simpler.", "EC633BD56A5774A0940CB97E27A9E4E51DC94AF737596A0C5CBB3D30332D92A5", "33a69cd2065432a30f3d1ce4eb0d59b8ab58c74f27c41a7fdb5696ad4e6108c96f807982866f785d3f6418d24163ddae117b7db4d5fdf0071de069fa54342262"
"fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364140", "Equations are more important to me, because politics is for the present, but an equation is something for eternity.", "9DC74CBFD383980FB4AE5D2680ACDDAC9DAC956DCA65A28C80AC9C847C2374E4", "54c4a33c6423d689378f160a7ff8b61330444abb58fb470f96ea16d99d4a2fed07082304410efa6b2943111b6a4e0aaa7b7db55a07e9861d1fb3cb1f421044a5"
"fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364140", "Not only is the Universe stranger than we think, it is stranger than we can think.", "FD27071F01648EBBDD3E1CFBAE48FACC9FA97EDC43BBBC9A7FDC28EAE13296F5", "ff466a9f1b7b273e2f4c3ffe032eb2e814121ed18ef84665d0f515360dab3dd06fc95f5132e5ecfdc8e5e6e616cc77151455d46ed48f5589b7db7771a332b283"
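
The deterministic-nonce derivation recommended in the post above, as an added example that is not part of the original thread and not the bitcoinjs-lib fix: it implements RFC 6979 for secp256k1 with SHA-256 using only the Python standard library and checks three of the quoted test vectors. The function names `rfc6979_k`, `signature_r` and `check_vectors` are illustrative, and the code assumes the vectors hash each message with a single SHA-256.

```python
# Added example (not from the thread): RFC 6979 nonce for secp256k1 / SHA-256.
import hashlib
import hmac

# Standard secp256k1 domain parameters.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def rfc6979_k(priv: int, message: bytes) -> int:
    """Derive k from the private key and SHA-256(message) (RFC 6979, 3.2)."""
    h1 = int.from_bytes(hashlib.sha256(message).digest(), "big")
    # int2octets(x) || bits2octets(h1); qlen == hlen == 256, so no shifting.
    seed = priv.to_bytes(32, "big") + (h1 % N).to_bytes(32, "big")
    v, key = b"\x01" * 32, b"\x00" * 32
    key = _mac(key, v + b"\x00" + seed)
    v = _mac(key, v)
    key = _mac(key, v + b"\x01" + seed)
    v = _mac(key, v)
    while True:
        v = _mac(key, v)                # one HMAC output already covers qlen
        k = int.from_bytes(v, "big")
        if 1 <= k < N:
            return k
        key = _mac(key, v + b"\x00")    # out of range: reseed and retry
        v = _mac(key, v)


def _add(a, b):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if a is None or b is None:
        return a if b is None else b
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def signature_r(k: int) -> int:
    """r = x-coordinate of k*G, reduced mod N; it depends on k alone."""
    acc, addend = None, G
    while k:
        if k & 1:
            acc = _add(acc, addend)
        addend = _add(addend, addend)
        k >>= 1
    return acc[0] % N


# (key, message, expected k, expected r) from the post; r = first 32 sig bytes.
VECTORS = [
    (0x01, b"Satoshi Nakamoto",
     "8F8A276C19F4149656B280621E358CCE24F5F52542772691EE69063B74F15D15",
     "934b1ea10a4b3c1757e2b0c017d0b6143ce3c9a7e6a4a49860d7a6ab210ee3d8"),
    (0xf8b8af8ce3c7cca5e300d33939540c10d45ce001b8f252bfbc57ba0342904181, b"Alan Turing",
     "525A82B70E67874398067543FD84C83D30C175FDC45FDEEE082FE13B1D7CFDF1",
     "7063ae83e7f62bbb171798131b4a0564b956930092b33b07b395615d9ec7e15c"),
    (N - 1, b"Satoshi Nakamoto",   # the FFFF...0140 key in the post is N - 1
     "33A19B60E25FB6F4435AF53A3D42D493644827367E6453928554F43E49AA6F90",
     "FD567D121DB66E382991534ADA77A6BD3106F0A1098C231E47993447CD6AF2D0"),
]


def check_vectors() -> list:
    """Return (k_matches, r_matches) for each vector."""
    return [(rfc6979_k(d, m) == int(k, 16),
             signature_r(rfc6979_k(d, m)) == int(r, 16))
            for d, m, k, r in VECTORS]
```

Because r is computed from k alone, two signatures under one key that share an r value indicate a repeated nonce; with this derivation the same k recurs only when the same key signs the same message hash.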
Chang Hum
Hero Member
Activity: 714
Merit: 502
April 23, 2014, 04:30:35 PM
 #7346

How to be reimbursed

After creating your new wallet and transferring the funds over, send an email to dev@counterparty.co  including:

  • a new address to which to send the reimbursed BTC funds
  • the passphrase of the compromised wallet (i.e. the one with the address from which the funds were stolen). Please only send this passphrase after you have moved all of the funds out of this wallet. Unfortunately, we need this passphrase to prove that you are the actual owner of the address in this situation, as signing a message from the compromised address is not enough here, as the hacker could do that, as well.
    Please keep in mind that the Counterparty team will never ask for the passphrase of a wallet which holds funds

I've lost a bitcoin, as previously mentioned I also lost a very small amount from counterparty.old but wasn't too fussed about it (I assumed it was the reason for the update of wallets, so just made a brief post here about it).

That's really good of you, it's one of those things where I wouldn't have asked but since you've offered! So cheers
hephaist0s
Hero Member
Activity: 711
Merit: 532
April 23, 2014, 04:41:31 PM
 #7347

That's amazing. This morning was the first time I attempted to use counterwallet.co to buy an asset (mostly just to try it out), but the sale didn't go through because it said I had insufficient BTC -- I tore my hair out about how this could be possible, saw that the whole .15BTC had been moved to a new address, finally came here and saw this. It seems my timing was exactly, perfectly bad.

I have followed the instructions on sweeping the key into a new wallet, and emailed the dev address. Any help is appreciated.

Chang Hum
Hero Member
Activity: 714
Merit: 502
April 23, 2014, 04:57:56 PM
 #7348

That's amazing. This morning was the first time I attempted to use counterwallet.co to buy an asset (mostly just to try it out), but the sale didn't go through because it said I had insufficient BTC -- I tore my hair out about how this could be possible, saw that the whole .15BTC had been moved to a new address, finally came here and saw this. It seems my timing was exactly, perfectly bad.

I have followed the instructions on sweeping the key into a new wallet, and emailed the dev address. Any help is appreciated.


I've only ever had dust in mine, but withdrew a full bitcoin off an exchange that came through this morning arrggghhh!!
BitcoinTangibleTrust
Member
Activity: 111
Merit: 10
Digitizing Valuable Hard Assets with Crypto
April 23, 2014, 07:36:26 PM
 #7349


To Xnova, PP and Cityglut:

I think this is big, for the core counterparty founders to come out of the dark. My thoughts are given the current environment, for a platform like counterparty to be taken seriously by the "business" community the need to put a face(s) behind the project is essential. Now that the core founders can come out openly and talk about the project, there is an increased accountability and the potential for more exposure (i.e via talk, interviews, conferences, etc)

May I be the first to say, thank you Robby, Adam and Evan (of the counterparty founders)

Cheers

Yes. Thank you Counterparty Team and best wishes for continued growth and success. Inside Bitcoins HK looks like an excellent opportunity!

RawDog
Legendary
Activity: 1596
Merit: 1026
April 23, 2014, 07:36:33 PM
 #7350

4/23 - URGENT SECURITY NOTICE

To be safe, we are wanting ALL users with a wallet created on counterwallet.co to immediately go through the following procedure:

How to be reimbursed

After creating your new wallet...

Oh God! This looks very serious. CounterParty is dying a very miserable death. Floodgates are opening? Sell now. Robby, how could you overlook this? If I lose even more money on this I am going to be VERY pissed.

Does anyone think they can recover?  

CounterParty: -6.21% again today.

Anotheranonlol
Hero Member
Activity: 588
Merit: 504
April 23, 2014, 07:40:28 PM
 #7351

4/23 - URGENT SECURITY NOTICE

To be safe, we are wanting ALL users with a wallet created on counterwallet.co to immediately go through the following procedure:

How to be reimbursed

After creating your new wallet...

Oh God! This looks very serious. CounterParty is dying a very miserable death. Floodgates are opening? Sell now. Robby, how could you overlook this? If I lose even more money on this I am going to be VERY pissed.

Does anyone think they can recover?  

~7BTC theft, followed swiftly by a full public disclosure, a patch and a clear path for reimbursement, don't get your panties in such a twist.
oh: you're a mastercoin supporter. surprising

freedomfighter
Full Member
Activity: 210
Merit: 100
April 23, 2014, 07:54:58 PM
 #7352

4/23 - URGENT SECURITY NOTICE

To be safe, we are wanting ALL users with a wallet created on counterwallet.co to immediately go through the following procedure:

How to be reimbursed

After creating your new wallet...

Oh God! This looks very serious. CounterParty is dying a very miserable death. Floodgates are opening? Sell now. Robby, how could you overlook this? If I lose even more money on this I am going to be VERY pissed.

Does anyone think they can recover?  

CounterParty: -6.21% again today.

welcome to my ignore (colored biased trolls) list.
freedomfighter
Full Member
Activity: 210
Merit: 100
April 23, 2014, 07:57:06 PM
 #7353


Please publish an address for donations so that we could help out with damage recovery.
dzarmush
Legendary
Activity: 1806
Merit: 1001
April 23, 2014, 08:25:56 PM
 #7354

I've got around 0.03 btc stolen. I was lucky because all my XCP was set on sale.

Not asking for recovery though, there were plenty notifications about possible danger.

Chang Hum
Hero Member
Activity: 714
Merit: 502
April 23, 2014, 08:41:17 PM
 #7355

Yeah publish a donation address, 1 bitcoin might be a lot to me or I might wing most of it! let's see how today goes!
Anotheranonlol
Hero Member
Activity: 588
Merit: 504
April 23, 2014, 09:14:58 PM
 #7356

new IPO on counterparty, crosspost from securities section:

https://bitcointalk.org/index.php?topic=581995.0

PhantomPhreak (OP)
Sr. Member
Activity: 476
Merit: 300
Counterparty Chief Scientist and Co-Founder
April 23, 2014, 09:41:54 PM
 #7357

Yeah publish a donation address, 1 bitcoin might be a lot to me or I might wing most of it! let's see how today goes!
Please publish an address for donations so that we could help out with damage recovery.

Donations for reimbursement due to recent bug in bitcoinjs-lib: 135FfhStvz2tuhxH8Y616GwGv2fJDE4bbC

We deeply appreciate any and all contributions to this fund. Except for what is given here, all reimbursement funds will come out of our own pockets.
Matt Y
Hero Member
Activity: 647
Merit: 510
Counterpartying
April 23, 2014, 10:10:24 PM
 #7358

http://www.reddit.com/r/CryptoCurrency/comments/23szud/issue_smart_property_with_counterparty/

prophetx
Legendary
Activity: 1666
Merit: 1010
he who has the gold makes the rules
April 23, 2014, 10:57:23 PM
 #7359

fyi new coin ranking site

http://www.coingecko.com/

matt looks like you need to start bringing up those social metrics
porqupine
Full Member
Activity: 214
Merit: 101
April 23, 2014, 11:27:17 PM
 #7360

Is it just my version or did everyone's say Beta on the top too?
I don't think there even needed to be a reimbursement.